Background
A complaint was received from the director of a securities firm stating that there was an unauthorized execution of a call option resulting in a loss to the complainant. The complainant company was dealing in sales and purchase of shares on behalf of clients. As a broker of the stock exchange they were providing trading facilities of the equity and futures and options markets to their sub-brokers/high net worth individual clients. This was done at the clients’ premises through ISDN lines/normal telephone lines/ VPN with predefined passwords and user IDs on their trading terminals. As per the complaint a fraudulent trade was executed by selling a call option by using the user ID and password provided to one of the complainant’s client. An interesting aspect was that this call option was the most inactive for trading purposes and no trade had taken place except for the fraudulent trade. The said call option was compulsorily exercised by the exchange thus resulting in a loss of INR 0.05 million to the complainant and wrongful gain to the culprits.
Investigation
The stock exchange provided the details of the trade log for call option of buyer and seller. The user ID that was used to book the order could be traced from the information provided. Some of the information that was provided was: - Date - Buy Client Name/Address - Trade Number - Sell Member Code - Trade Time - Sell Trading Member Name - Trade Quantity - Sell Client Code/Name/Address - Buy Time - Buy Order Number - Buy Name - Sell Order Number - Buy Client Code The complainant’s client was examined who stated that they had not executed this trade. The data of the computer installed at their premises was scrutinized for system error log, access log, event log and broadcast server log. The analysis of the logs revealed that the computer system of the client was not logged during the days when the fraudulent trades were executed. The configuration indicated that for executing the transaction through the internet, access to the network was imperative. Such access was authorized by the firewall installed at the network of the complainant. The firewall (which generated the log details) provided the IP address used to logon to the system to execute the transaction. The firewall details as well as the server of the complainant were taken to the police computer lab and analysed using forensic tools. The transactions logs could not be recovered from the firewall server as the same was designed to be emailed to a specific email ID. However, the information collected from a securities firm revealed the details of an account through which the fraudulent transaction was executed. The ownership details and logs for the email ID were collected from a web host company and were found to be belonging to the very person who had designed the firewall for the complainant company. Thereafter, the mobile phone details of the accused were collected which revealed that he was in contact with the co-accused (the person who had designed the firewall for the complainant company). This gave the first indication that a conspiracy existed between the accused persons. Based on this information simultaneous raids were conducted and the accused were arrested. The interrogation of the accused revealed the modus operandi on how the fraudulent transaction had been executed. The accused had provided the copy of the programme (which had access, firewall file, password and other details that were required for configuring the computer system) to the co-accused. The Central Processing Unit was configured by the co-accused and the same was taken to cyber café and on the pretext of downloading software. The accused downloaded the software from the attachment in his e-mail account and executed the transaction by installing the software on the computer.
Case Studies 
